If you’ve never heard of VUPEN, that’s because it isn’t your typical security company. The firm finds exploits in popular software from major technology companies like Microsoft, Apple, and Google, only to sell the details to governments around the world and various other parties willing to write massive cheques.
That’s right; the exploits aren’t reported to the companies affected, but are instead sold so that: VUPEN customers can protect themselves (while their competitors are left vulnerable), they can be abused for spying purposes, and they can be used to create malware. This is why, if you read the tweet above again, you’ll note that this latest victory was only possible thanks to multiple already-existing 0-days that VUPEN found and did not disclose publicly. If it had, it would not be able to sell them, nor would it be able to hack Windows 8, as Microsoft would have already patched the flaws long ago.